Blockchain

The importance of protecting Identity, Integrity and Data Security policies of participating IoT nodes in the Blockchain network

“A blockchain network is only as secure as its infrastructure”

Blockchain Hype

With the hype and popularity of crypto currencies, there has been tremendous publicity about Blockchain, the distributed ledger technology and how it is being used in various industries. Some people and organizations talk about it as a breakthrough solution for addressing IoT security and performance issues. However, Blockchain relies heavily on Public Key Infrastructure (PKI). It doesn’t have a security model defined to secure the participating nodes and associated PKI keys. We need to understand the inherent security risks in Blockchain before we claim victory on its applicability for Enterprise IoT use cases.

In the past, several users have publicly complained of stolen private keys and Bitcoins. There isn’t any assurance on the security posture of the nodes in the network. There may be countless participating Blockchain nodes running on Operating Systems without the latest patches. What are the consequences of that?

What is Blockchain?

Blockchain, a distributed ledger technology, is a chain of digital “blocks” that contain transactions records. Each block typically contains a hash pointer as a link to a previous block, a timestamp and transaction data. This makes it difficult to tamper with a single record because a hacker would need to change the block containing that record as well as those linked to it to avoid detection.

The records on a blockchain are secured through cryptography. Network participants have their own private keys that are assigned to the transactions they make and act as a personal digital signature. If a record is altered, the signature will become invalid and the peer network will know right away that something has happened. It would require huge amounts of computing power to access every instance (or at least a 51 percent majority) of a certain blockchain and alter them all at the same time.

This is the real value of Blockchain; providing immutable trust for transactions. However, there are other conditions and requirements to consider when you want to use Blockchain for Enterprise IoT.

What’s the difference between Public and Private Blockchain?

To understand the inherent security risks in blockchain technology, it’s important to understand the difference between public and private Blockchains. The sole distinction between public and private Blockchain is related to who can participate in the network

A public Blockchain network is completely open and anyone can join and participate in the network. Crypto currency models like Bitcoin rely on public Blockchain, to read or write transactions. In a Bitcoin system, because no user is implicitly trusted to verify transactions, all users follow an algorithm that verifies transactions by committing software and hardware.

A private Blockchain networks requires an invitation and must be validated by either the network starter or by a set of rules put in place by the network starter. This places restriction on who can participate in the network, and only in certain transactions. Once an entity has joined the network, it will play a role in maintaining the Blockchain in a decentralized manner.

Private Blockchains for Enterprises

Address the security of the participating nodes and infrastructure

Private Blockchains offer a degree of control over participating nodes and the transaction verification process, more suitable for Enterprise use cases. Private Blockchains use identity to confirm membership and access privileges, and so the participants in the network know exactly who they are dealing with. These systems are in the evolution stage, many of them need to address security of the system and the assets it manages or stores. This is no different from traditional Enterprise security to manage the infrastructure associated with the network. As an example, it is fundamental to protect the private key of the participating node.

An Enterprise private blockchain consists of a permissioned network in which consensus can be achieved through a process called “selective endorsement,” where known users/peers verify the transactions. The advantage of this for businesses is that only participants with the appropriate access and permissions can maintain the transaction ledger. This calls for traditional Enterprise IAM (Identity and Access Management) features extended to participating nodes. The identity management is implemented with PKI Digital Certificates. Each participating organization or service provider is responsible for implementing the right IAM and CA functionality. Also, the infrastructure that runs the blockchain application needs standard IT security controls for preventing un-authorized access.

If an attacker can gain access to the Enterprise blockchain network, they are more likely to gain access to the data. The original Blockchain technology was created without specific access controls due to its public nature. For the Enterprise use cases with private Blockchain, the data confidentiality and access controls are very important. To manage this Enterprises, follow suitable key management and access policy procedures.

Device Authority can help secure Enterprise IoT and Blockchain

Device Authority specializes in device-centric IAM with a focus on automated PKI and security management functions for IoT devices and data. Our KeyScaler platform delivers the device and data trust at scale for any Enterprise Blockchain implementation.

KeyScaler addresses IAM for Blockchain implementations. The key problems that are addressed by KeyScaler include: